id3v2: prevent unsigned integer overflow in ff_id3v2_parse()

In ff_id3v2_parse(), prevent unsigned integer overflow if data length indicator is skipped and tlen is < 4. Fix crash decoding file Allaby_cut.mp3, fix trac issue #182.

id3v2: prevent unsigned integer overflow in ff_id3v2_parse()
In ff_id3v2_parse(), prevent unsigned integer overflow if data length indicator is skipped and tlen is < 4. Fix crash decoding file Allaby_cut.mp3, fix trac issue #182.
64be0d1e · Stefano Sabatini · b69e5ee9 · 64be0d1e
Commit 64be0d1e authored May 17, 2011 by Stefano Sabatini
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

id3v2.c libavformat/id3v2.c +2 -0

No files found.
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -255,6 +255,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
        next = avio_tell(s->pb) + tlen;

        if (tflags & ID3v2_FLAG_DATALEN) {
+            if (tlen < 4)
+                break;
            avio_rb32(s->pb);
            tlen -= 4;
        }